
Topic: I've been attacked! Malwarebytes no longer working. Please help


CBMatt

  • Mod & Malware Specialist
Re: I've been attacked! Malwarebytes no longer working. Please help
« Reply #15 on: October 05, 2009, 04:28:34 AM »
No worries; I understand.  Things are looking a little better, but one of the infections has spread somewhat.  It's not doing a lot of damage right now, but we still want to get rid of it, of course.


Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
cgwc
fpinlgk
inyiqiv
lpvlpm
lqel
pjqefld
rpwlfydw
rxium
weolfr
xxgy

File::
c:\windows\Hdofuviyakidalos.dat
c:\windows\Jgilupewadag.bin
c:\windows\uyomodoruvoz.dll
c:\windows\system32\drivers\admvgxwb.sys
c:\windows\system32\drivers\xnpj.sys
c:\windows\system32\drivers\kcsmpoxa.sys
c:\windows\system32\drivers\sqxof.sys
c:\windows\system32\drivers\hflfdgs.sys
c:\windows\system32\drivers\gczmyi.sys
c:\windows\system32\drivers\mfmbtf.sys
c:\windows\system32\drivers\qjnb.sys
c:\windows\system32\drivers\fqff.sys
c:\windows\system32\drivers\bwnabzzh.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbozaqawicoziqow"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply, along with a new HijackThis log.

Note: Do not click ComboFix's window while it is running. That may cause your system to freeze.

mims24

    Topic Starter

    Re: I've been attacked! Malwarebytes no longer working. Please help
    « Reply #16 on: October 05, 2009, 05:51:57 PM »
    Ok CBMatt, here is the new Combo log :)

    ComboFix 09-10-04.01 - Mike 10/05/2009 19:34.3.4 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3323.2758 [GMT -4:00]
    Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
    AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

    FILE ::
    "c:\windows\Hdofuviyakidalos.dat"
    "c:\windows\Jgilupewadag.bin"
    "c:\windows\system32\drivers\admvgxwb.sys"
    "c:\windows\system32\drivers\bwnabzzh.sys"
    "c:\windows\system32\drivers\fqff.sys"
    "c:\windows\system32\drivers\gczmyi.sys"
    "c:\windows\system32\drivers\hflfdgs.sys"
    "c:\windows\system32\drivers\kcsmpoxa.sys"
    "c:\windows\system32\drivers\mfmbtf.sys"
    "c:\windows\system32\drivers\qjnb.sys"
    "c:\windows\system32\drivers\sqxof.sys"
    "c:\windows\system32\drivers\xnpj.sys"
    "c:\windows\uyomodoruvoz.dll"
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Hdofuviyakidalos.dat
    c:\windows\Jgilupewadag.bin
    c:\windows\uyomodoruvoz.dll

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CGWC
    -------\Legacy_FPINLGK
    -------\Legacy_INYIQIV
    -------\Legacy_LPVLPM
    -------\Legacy_LQEL
    -------\Legacy_PJQEFLD
    -------\Legacy_RPWLFYDW
    -------\Legacy_RXIUM
    -------\Legacy_WEOLFR
    -------\Legacy_XXGY
    -------\Service_cgwc
    -------\Service_fpinlgk
    -------\Service_inyiqiv
    -------\Service_lpvlpm
    -------\Service_lqel
    -------\Service_pjqefld
    -------\Service_rpwlfydw
    -------\Service_rxium
    -------\Service_weolfr
    -------\Service_xxgy


    (((((((((((((((((((((((((   Files Created from 2009-09-05 to 2009-10-05  )))))))))))))))))))))))))))))))
    .

    2009-10-05 23:33 . 2009-10-05 23:34   --------   d-----w-   C:\32788R22FWJFW
    2009-09-27 21:55 . 2009-09-27 21:55   --------   d-----w-   c:\documents and settings\Heather\Local Settings\Application Data\{7C57F359-DCD5-4829-A18F-24C46AF9A74E}
    2009-09-27 00:01 . 2009-09-27 00:01   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\Citrix
    2009-09-27 00:01 . 2009-09-27 00:01   103720   ----a-w-   c:\documents and settings\Mike\GoToAssistDownloadHelper.exe
    2009-09-25 18:00 . 2009-09-25 18:00   --------   d-----w-   C:\My Music
    2009-09-25 17:00 . 2009-09-25 17:00   --------   d-----w-   c:\program files\Common Files\xing shared
    2009-09-25 17:00 . 2009-09-25 17:00   --------   d-----w-   c:\program files\real
    2009-09-23 04:43 . 2009-09-10 18:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-23 04:43 . 2009-09-23 04:43   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2009-09-23 04:43 . 2009-09-10 18:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2009-09-23 04:12 . 2009-09-23 04:12   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\{13185E59-E9FA-4277-B5BA-D271999892E3}
    2009-09-22 06:36 . 2009-09-22 06:36   --------   d-----w-   c:\program files\Trend Micro
    2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-22 05:22 . 2009-09-23 04:31   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2009-09-22 05:22 . 2009-09-22 05:22   --------   d-----w-   c:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
    2009-09-20 18:26 . 2009-09-20 18:26   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-09-09 08:00 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
    2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\documents and settings\Mike\Application Data\YouSendIt
    2009-09-05 23:45 . 2009-09-05 23:45   --------   d-----w-   c:\program files\YouSendIt
    2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\windows\Downloaded Installations
    2009-09-05 23:44 . 2009-09-05 23:44   --------   d-----w-   c:\program files\WinPcap
    2009-09-05 23:43 . 2009-09-05 23:43   --------   d-----w-   c:\windows\Replay Converter 3
    2009-09-05 23:43 . 2009-09-11 08:13   --------   d-----w-   c:\program files\Replay AV 8

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-05 23:26 . 2008-11-06 22:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
    2009-10-05 01:23 . 2008-11-02 20:26   189184   ----a-w-   c:\windows\system32\PnkBstrB.exe
    2009-10-05 00:25 . 2009-01-10 16:38   138064   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
    2009-09-25 17:00 . 2009-03-09 08:34   --------   d-----w-   c:\program files\Common Files\Real
    2009-09-25 17:00 . 2003-03-19 00:14   499712   ----a-w-   c:\windows\system32\msvcp71.dll
    2009-09-22 05:53 . 2008-10-20 07:49   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2009-09-19 22:53 . 2008-02-06 16:42   --------   d--h--w-   c:\program files\InstallShield Installation Information
    2009-09-18 18:40 . 2009-09-20 16:47   20780477   ----a-w-   c:\program files\PROCESSLIST.DB
    2009-09-18 18:40 . 2009-09-20 16:47   1230109   ----a-w-   c:\program files\PROCESSLISTRELATED.DB
    2009-09-11 08:16 . 2009-06-01 04:56   --------   d-----w-   c:\program files\iWin Games
    2009-09-05 23:45 . 2008-11-09 17:50   --------   d-----w-   c:\program files\Replay Music 3
    2009-09-05 23:40 . 2008-08-28 21:11   323584   ----a-w-   c:\windows\system32\AUDIOGENIE2.DLL
    2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\Common Files\DVDVideoSoft
    2009-08-21 20:34 . 2008-08-03 05:06   --------   d-----w-   c:\program files\DVDVideoSoft
    2009-08-07 07:13 . 2008-06-04 01:41   --------   d-----w-   c:\documents and settings\Mike\Application Data\LimeWire
    2009-08-05 09:01 . 2008-02-05 22:39   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
    2009-07-29 03:40 . 2009-01-10 16:37   75064   ----a-w-   c:\windows\system32\PnkBstrA.exe
    2009-07-17 19:01 . 2008-02-05 22:39   58880   ----a-w-   c:\windows\system32\atl.dll
    2009-07-14 03:43 . 2008-02-05 22:39   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
    2008-08-11 05:08 . 2008-08-11 05:08   978396   ----a-w-   c:\program files\BDAXP.cab
    2008-06-30 17:44 . 2008-08-30 06:45   324976   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
    2008-08-13 23:02 . 2008-08-13 23:02   35840   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
    .

    (((((((((((((((((((((((((((((   SnapShot@2009-09-22_06.20.05   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-16 20:58 . 2009-09-23 12:17   57344              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\texticon.exe
    - 2008-09-16 20:58 . 2009-08-07 15:48   57344              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\texticon.exe
    - 2008-09-16 20:58 . 2009-08-07 15:48   22486              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\register_icon.exe
    + 2008-09-16 20:58 . 2009-09-23 12:17   22486              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\register_icon.exe
    + 2008-09-16 20:58 . 2009-09-23 12:17   32768              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\maintenance_icon.exe
    - 2008-09-16 20:58 . 2009-08-07 15:48   32768              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\maintenance_icon.exe
    + 2008-09-16 20:58 . 2009-09-23 12:17   61440              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\helpicon.exe
    - 2008-09-16 20:58 . 2009-08-07 15:48   61440              c:\windows\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\helpicon.exe
    + 2009-09-25 17:00 . 2009-09-25 17:00   5632              c:\windows\system32\pndx5032.dll
    - 2009-03-09 08:34 . 2009-03-09 08:34   5632              c:\windows\system32\pndx5032.dll
    - 2009-03-09 08:34 . 2009-03-09 08:34   6656              c:\windows\system32\pndx5016.dll
    + 2009-09-25 17:00 . 2009-09-25 17:00   6656              c:\windows\system32\pndx5016.dll
    + 2009-09-25 17:00 . 2009-09-25 17:00   185920              c:\windows\system32\rmoc3260.dll
    - 2009-03-09 08:34 . 2009-03-09 08:34   185920              c:\windows\system32\rmoc3260.dll
    - 2009-03-09 08:34 . 2009-03-09 08:34   278528              c:\windows\system32\pncrt.dll
    + 2009-03-09 08:34 . 2009-09-25 17:00   278528              c:\windows\system32\pncrt.dll
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-15 716800]
    "BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-11 69632]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-25 198160]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "VSSERV"=2 (0x2)
    "NVSvc"=2 (0x2)
    "NMIndexingService"=3 (0x3)
    "mi-raysat_3dsMax2009_32"=2 (0x2)
    "LIVESRV"=2 (0x2)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iWinTrusted"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "IAANTMON"=2 (0x2)
    "gusvc"=2 (0x2)
    "FlipShare Service"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Autodesk Licensing Service"=2 (0x2)
    "Arrakis3"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "aliasdocserver"=2 (0x2)
    "Adobe Version Cue CS3"=3 (0x3)
    "Adobe LM Service"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Adobe\\After Effects 6.5\\Support Files\\AfterFX.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\discreet\\cleaner XL\\cleaner XL.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
    "c:\\Program Files\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
    "c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
    "c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
    "c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
    "c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
    "c:\\Program Files\\Alias\\Maya6.0\\bin\\mayabatch.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [8/12/2008 6:40 PM 111112]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [7/17/2008 1:06 PM 118784]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
    S4 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [8/7/2008 3:29 PM 110592]
    S4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 2:17 PM 439616]
    S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 65536]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx   REG_MULTI_SZ      scan

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-05 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-06 06:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
    IE: Add to  Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
    IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    IE: {{E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\Adblock Pro\AdblockPro.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\wikb88jo.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
    FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
    FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjava11.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjava12.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjava13.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjava14.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjava32.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjpi160_05.dll
    FF - plugin: c:\program files\Java\jre6\bin\npoji610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - HiddenExtension: XULRunner: {13185E59-E9FA-4277-B5BA-D271999892E3} - c:\documents and settings\Mike\Local Settings\Application Data\{13185E59-E9FA-4277-B5BA-D271999892E3}
    FF - HiddenExtension: XULRunner: {7C57F359-DCD5-4829-A18F-24C46AF9A74E} - c:\documents and settings\Heather\Local Settings\Application Data\{7C57F359-DCD5-4829-A18F-24C46AF9A74E}\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-05 19:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 


    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version"=hex:b5,fe,1f,11,e2,04,7e,b7,fc,0a,c1,20,08,71,d0,02,df,f4,be,19,54,
       08,cb,c2,b3,08,e8,0c,49,3f,c1,02,bf,77,83,4c,ab,64,df,fe,0c,9f,86,a3,db,7d,\

    [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:32,49,1f,c5,b7,af,7b,ea,03,22,52,c7,8a,2e,ee,06,b4,cf,43,6a,0e,
       62,7f,57,c9,4e,21,1c,11,d6,1f,1d,93,a9,eb,25,94,7e,07,96,d6,a8,ad,db,1b,65,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3024)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\BitDefender\BitDefender 2009\vsserv.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\windows\system32\searchindexer.exe
    c:\program files\BitDefender\BitDefender 2009\seccenter.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-05 19:47 - machine was rebooted
    ComboFix-quarantined-files.txt  2009-10-05 23:46
    ComboFix2.txt  2009-09-23 04:39
    ComboFix3.txt  2009-09-22 06:26

    Pre-Run: 631,884,476,416 bytes free
    Post-Run: 631,833,182,208 bytes free

    310   --- E O F ---   2009-09-11 04:23
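A check a practitioner would want after the round trip in Reply #15 and #16: parse the CFScript (its Driver::, File:: and Registry:: sections) and the ComboFix log that came back, and list every requested removal the log does not confirm. This is an added example, not code from the thread or from ComboFix; the sample script and log excerpt are constructed from the posts above, shortened, with one driver deliberately left out of the log's Drivers/Services section so the gap shows.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CFScript:
    """The directives a CFScript asks ComboFix to carry out."""
    killall: bool = False
    drivers: list = field(default_factory=list)
    files: list = field(default_factory=list)
    registry: dict = field(default_factory=dict)  # key -> {value name: action}


def parse_cfscript(text: str) -> CFScript:
    """Parse the KillAll::, Driver::, File:: and Registry:: sections used in the thread."""
    script, section, key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            section = header.group(1).lower()
            script.killall |= section == "killall"
            continue
        if section == "driver":
            script.drivers.append(line.lower())
        elif section == "file":
            script.files.append(line.lower())
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                script.registry.setdefault(key, {})
            elif key is not None:
                name, _, value = line.partition("=")
                # "=-" tells ComboFix to delete the value; anything else assigns it
                script.registry[key][name.strip('"')] = "delete" if value == "-" else value
    return script


def parse_combofix_log(text: str) -> dict:
    """Extract what the log says was requested (FILE ::) and what it reports removed."""
    found = {"echoed": set(), "deleted": set(), "services": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FILE ::":
            section = "echoed"
        elif "Other Deletions" in line:
            section = "deleted"
        elif "Drivers/Services" in line:
            section = "services"
        elif line.startswith("((("):
            section = None  # some other report section we do not need
        elif section == "echoed" and len(line) > 1 and line[0] == line[-1] == '"':
            found["echoed"].add(line[1:-1].lower())
        elif section == "deleted" and line and line != ".":
            found["deleted"].add(line.lower())
        elif section == "services":
            m = re.fullmatch(r"-------\\Service_(\S+)", line)
            if m:
                found["services"].add(m.group(1).lower())
    return found


def reconcile(script: CFScript, log: dict) -> dict:
    """List every requested removal the log does not confirm."""
    return {
        "files_not_echoed": sorted(f for f in script.files if f not in log["echoed"]),
        "files_not_deleted": sorted(f for f in script.files if f not in log["deleted"]),
        "drivers_not_removed": sorted(d for d in script.drivers if d not in log["services"]),
    }


# Constructed sample: a shortened version of the script posted in the thread.
SAMPLE_SCRIPT = r"""KillAll::

Driver::
cgwc
fpinlgk
xxgy

File::
c:\windows\Hdofuviyakidalos.dat
c:\windows\system32\drivers\admvgxwb.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbozaqawicoziqow"=-
"""

# Constructed log excerpt: xxgy is deliberately missing from Drivers/Services,
# and the .sys file is echoed under FILE :: but not listed under Other Deletions.
SAMPLE_LOG = r"""FILE ::
"c:\windows\Hdofuviyakidalos.dat"
"c:\windows\system32\drivers\admvgxwb.sys"
.

(((((((((((((((((   Other Deletions   )))))))))))))))))
.

c:\windows\Hdofuviyakidalos.dat

.
(((((((((((((((((   Drivers/Services   )))))))))))))))))
.

-------\Legacy_CGWC
-------\Legacy_FPINLGK
-------\Service_cgwc
-------\Service_fpinlgk

(((((((((((((((((   Files Created from 2009-09-05 to 2009-10-05  )))))))))))))))))
.
2009-10-05 23:33 . 2009-10-05 23:34   --------   d-----w-   C:\32788R22FWJFW
"""


def check_sample() -> dict:
    return reconcile(parse_cfscript(SAMPLE_SCRIPT), parse_combofix_log(SAMPLE_LOG))


if __name__ == "__main__":
    for what, items in check_sample().items():
        print(what, items or "none")
```

Anything listed under drivers_not_removed or files_not_deleted is what the helper would ask about in the next reply, rather than assuming the script did its job.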

    mims24

      Topic Starter


      Re: I've been attacked! Malwarebytes no longer working. Please help
      « Reply #17 on: October 05, 2009, 05:53:42 PM »
      And here is the new HiJackThis log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 7:52:47 PM, on 10/5/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\WINDOWS\system32\PnkBstrA.exe
      C:\WINDOWS\system32\PnkBstrB.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
      O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
      O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
      O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
      O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
      O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
      O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
      O8 - Extra context menu item: Add to  Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
      O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
      O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
      O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
      O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
      O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
      O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
      O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
      O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
      O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
      O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
      O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
      O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
      O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
      O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
      O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

      --
      End of file - 8486 bytes
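A small triage script for the O16 and O23 sections of a HijackThis log like the one above. This is an added example, not code from HijackThis, ComboFix or anyone in this thread; the sample log lines inside it are constructed to mirror the entries quoted above, and the "trusted directory" list is a heuristic assumed for the example. It shows the two checks a helper usually applies by eye: a service reported with "Unknown owner" needs its binary verified (PunkBuster's PnkBstrA is the classic benign case, as it is here), and a DPF ActiveX control fetched over plain HTTP is worth a second look because it can be re-downloaded without any integrity check.

```python
"""Triage HijackThis O16/O23 entries (added example; not HijackThis or ComboFix code).

The sample log below is constructed to resemble the thread's entries, and the
TRUSTED_DIRS heuristic is an assumption of this example, not a verdict on any service.
"""
import re
from dataclasses import dataclass

# O23 lines look like: O23 - Service: <display name> (<short>) - <owner> - <path>
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+?)\s*$"
)
# O16 lines look like: O16 - DPF: {CLSID} (<name>) - <url>
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>.+?)\) - (?P<url>\S+)\s*$"
)
# Directories where a service binary is unremarkable (heuristic, compared lower-cased).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Finding:
    line_no: int
    kind: str      # "O16" or "O23"
    subject: str   # service short/display name or ActiveX control name
    reason: str


def service_subject(display: str) -> str:
    """Prefer the short service name in trailing parentheses, e.g. '(gusvc)'."""
    m = re.search(r"\(([^()\s]+)\)\s*$", display)
    return m.group(1) if m else display


def check_service(line_no: int, m) -> list:
    """Flag services whose publisher is unknown or whose binary is in an odd place."""
    findings = []
    subject = service_subject(m["name"])
    if m["owner"].strip().lower() == "unknown owner":
        # HijackThis prints this when the binary carries no company metadata.
        # It is a prompt to verify the file, not proof of malware (PunkBuster's
        # PnkBstrA/B are a well-known benign example).
        findings.append(Finding(line_no, "O23", subject,
                                "publisher is 'Unknown owner'; verify the binary"))
    if not m["path"].lower().startswith(TRUSTED_DIRS):
        findings.append(Finding(line_no, "O23", subject,
                                f"binary outside Program Files/Windows: {m['path']}"))
    return findings


def check_dpf(line_no: int, m) -> list:
    """Flag ActiveX controls pulled over plain HTTP; they can be re-fetched unverified."""
    if m["url"].lower().startswith("http://"):
        return [Finding(line_no, "O16", m["name"],
                        f"ActiveX control fetched over unauthenticated HTTP: {m['url']}")]
    return []


def triage(log_text: str) -> list:
    """Run the checks over every line; other HijackThis sections are ignored."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            findings.extend(check_service(line_no, m))
        elif (m := DPF_RE.match(line)):
            findings.extend(check_dpf(line_no, m))
    return findings


# Constructed sample modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.kind}] {f.subject}: {f.reason}")
```

Run it on a saved hijackthis.log by reading the file into `triage()`; the output is a list of things to verify by hand (file properties, digital signature, where it came from), not a clean/infected verdict.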

      CBMatt

      Re: I've been attacked! Malwarebytes no longer working. Please help
      « Reply #18 on: October 06, 2009, 03:23:45 AM »
      Great, that looks much better!  Judging by what I can see in these logs, you look clean.  Is everything still running smoothly?  If so, go ahead and uninstall ComboFix.  You can do that by going to Start > Run, typing in combofix /u (note the space before "/u"), and clicking OK.  You can also remove HijackThis.

      You should also reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files.  This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected)

      1. Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.

      2. Restart your computer.

      3. Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-Check Turn off System Restore.
      • Click Apply, and then click OK.
      System Restore will now be active again.


        Once you've done that, you are good to go.
      Quote
      An undefined problem has an infinite number of solutions.
      —Robert A. Humphrey

      mims24

        Topic Starter


        Rookie

        Re: I've been attacked! Malwarebytes no longer working. Please help
        « Reply #19 on: October 07, 2009, 08:31:34 PM »
        OK, I deleted ComboFix and HijackThis, and did the System Restore.
        Thank you very very much Matt, and yes my computer has never felt more smooth; it feels like new, what an awesome feeling right? (whew!)

        Take care and God bless,

        Mike.

        CBMatt

        Re: I've been attacked! Malwarebytes no longer working. Please help
        « Reply #20 on: October 09, 2009, 02:50:23 AM »
        Fantastic, I'm glad everything is going well.  Take care!